macOS如何查看已禁用的开机自启动项目


=Start=

缘由:

从安全角度来看,一个新特性是用户现在可以在系统设置中的一个位置管理登录项、启动代理和启动守护进程。以前,只有在设备启动或用户登录时才能看到执行的项目,需要使用终端或依赖第三方软件在 Finder 中查找隐藏的目录。这一直是有问题的,特别是对于 LaunchAgents,因为任何进程都可以添加一个持久化项,而不需要用户的授权或通知。

现在在 macOS Ventura 中,用户不仅可以看到哪些条目被设置为持久化,他们还可以在系统设置中单独控制它们。重要的是,当应用程序添加了一个 LaunchAgent, LaunchDaemon 或 Login Item,系统现在会产生一个通知警报。

由于 LaunchAgents 是 macOS 恶意软件中使用最广泛的持久性手段,这只能是一件好事。从安全的角度来看,对这个过程的额外可见性和控制当然是一件好事,这是我们欢迎的对 macOS 安全性的一个早就应该的重要改进。

然而,企业团队需要注意。这种防止恶意软件和误用的额外安全性也会影响到绝大多数合法使用这些项目的软件。首先,有额外的警报需要处理和解除。在某些情况下,如上面的示例,一个安装可能会产生多个警报。其次,也许更令人担忧的是,用户可能不理解在系统设置中禁用这些条目的影响。

如果你的组织使用具有此类持久性机制的基本软件,你将需要弄清楚如果用户禁用这些功能,你可能会收到什么样的支持调用。目前,尚不清楚 Ventura 的最终版本是否会包括通过 MDM 或其他机制锁定这些条目的能力,以防止用户禁用关键软件。

正文:

参考解答:

在当前macOS最新的系统 Ventura 13.2.1 上,提供了便捷的登录项管理功能(而且非常全面有效,不像以前的macOS系统,个人很难找全并禁用,有时只能通过暴力的杀进程删除目录来实现,但这么做一方面是动静太大,另一方面是也不一定能处理干净,现在好了,把可见性和主动性都交给了用户,对这方面有需求的用户应该还是挺高兴的)。

系统设置-通用-登录项
* 登录时打开
* 允许在后台

如何查看已禁用的开机自启动项目?

launchctl print-disabled system

cat /var/db/com.apple.xpc.launchd/disabled.plist

补充一些 launchctl 命令的样例:

launchctl print system
launchctl print user/$(id -u)
launchctl print user/0
launchctl print gui/$(id -u)

launchctl print-disabled system
launchctl print-disabled user/0
launchctl print-disabled user/$(id -u)
launchctl print-disabled gui/$(id -u)

==
$ man launchctl
...

     ~/Library/LaunchAgents         Per-user agents provided by the user.
     /Library/LaunchAgents          Per-user agents provided by the administrator.
     /Library/LaunchDaemons         System wide daemons provided by the administrator.
     /System/Library/LaunchAgents   OS X Per-user agents.
     /System/Library/LaunchDaemons  OS X System wide daemons.


SYNOPSIS
     launchctl subcommand [arguments ...]

DESCRIPTION
     launchctl interfaces with launchd to manage and inspect daemons, agents and XPC services.

SUBCOMMANDS
     launchctl allows for detailed examination of launchd's data structures. The fundamental structures are domains, services, and endpoints. A domain manages the execution policy for a collection of services.  A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has
     a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets.

     Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:

     system/[service-name]
              Targets the system domain or a service within the system domain. The system domain manages the root Mach bootstrap and is considered a privileged execution context. Anyone may read or query the system domain, but root privileges are required to make modifications.

     user/<uid>/[service-name]
              Targets the user domain for the given UID or a service within that domain. A user domain may exist independently of a logged-in user. User domains do not exist on iOS.

     login/<asid>/[service-name]
              Targets a user-login domain or service within that domain. A user-login domain is created when the user logs in at the GUI and is identified by the audit session identifier associated with that login. If a user domain has an associated login domain, the print subcommand will display the ASID of that login domain. User-
              login domains do not exist on iOS.

     gui/<uid>/[service-name]
              Another form of the login specifier. Rather than specifying a user-login domain by its ASID, this specifier targets the domain based on which user it is associated with and is generally more convenient.

              Note: GUI domains and user domains share many resources. For the purposes of the Mach bootstrap name lookups, they are "flat", so they share the same set of registered names. But they still have discrete sets of services. So when printing the user domain's contents, you may see many Mach bootstrap name registrations from
              services that exist in the GUI domain for that user, but you will not see the services themselves in that list.

     pid/<pid>/[service-name]
              Targets the domain for the given PID or a service within that domain. Each process on the system will have a PID domain associated with it that consists of the XPC services visible to that process which can be reached with xpc_connection_create(3).

     For instance, when referring to a service with the identifier com.apple.example loaded into the GUI domain of a user with UID 501, domain-target is gui/501/, service-name is com.apple.example, and service-target is gui/501/com.apple.example.
参考链接:

在 macOS Ventura 13.x 或更高版本上,在“登录项”中启用 Norton (在某些情况下,在“登录项”中禁用和启用 Norton 后,可能会遇到 Norton 产品扫描和 Norton 产品通知问题。要解决此问题,请退出所有打开的应用程序并重新启动 Mac。)
https://support.norton.com/sp/zh/cn/home/current/solutions/v20220916232603380

修复 Adobe Creative Cloud 的登录项问题 | macOS Ventura
https://helpx.adobe.com/cn/download-install/kb/background-processes-macos.html

在 Mac 上移除登录项以解决启动问题
https://support.apple.com/zh-cn/guide/mac-help/mh21210/mac

允许 Microsoft AutoUpdate 在后台运行
https://support.microsoft.com/zh-cn/office/%E5%85%81%E8%AE%B8-microsoft-autoupdate-%E5%9C%A8%E5%90%8E%E5%8F%B0%E8%BF%90%E8%A1%8C-93b5dd2a-2395-4780-80b6-00811b774f06

苹果全新版本macOS Ventura操作系统 macOS Ventura新功能
https://zhuanlan.zhihu.com/p/530265533

How does one check whether the OS X “disabled” flag for launchd services is set?
https://serverfault.com/questions/218402/how-does-one-check-whether-the-os-x-disabled-flag-for-launchd-services-is-set

launchctl – interface to launchd – Mac OS’s master task invoker
https://www.real-world-systems.com/docs/launchctl.1.html
https://ss64.com/osx/launchctl.html

How to completely remove a service from launchd added by mistake?
https://apple.stackexchange.com/questions/374495/how-to-completely-remove-a-service-from-launchd-added-by-mistake

macos_security/rules/os/os_httpd_disable.yaml
https://github.com/usnistgov/macos_security/blob/main/rules/os/os_httpd_disable.yaml

macOS系统的启动项
https://ixyzero.com/blog/archives/5335.html

macOS Ventura Bug Spits Out Perpetual ‘Background Items Added’ Notifications at Login, Here’s a Potential Fix
https://www.macrumors.com/2023/02/02/macos-background-items-added-notification-bug/

Perpetual “Background Items Added”
https://discussions.apple.com/thread/254341579

How to Stop Background Items Added notifications in macOS Ventura?
https://www.fireebok.com/resource/how-to-stop-background-items-added-notifications-in-macos-ventura.html

=END=


《 “macOS如何查看已禁用的开机自启动项目” 》 有 6 条评论

  1. Controlling Login and Background Items in Ventura
    https://eclecticlight.co/2023/02/15/controlling-login-and-background-items-in-ventura/
    `
    # Background problems

    Background Items aren’t likely to cause problems on a shiny new Apple silicon Mac that hasn’t been migrated from a previous system, unless you install software which didn’t follow the old rules, let alone the new ones. The best solution then is to thoroughly remove or uninstall that software, and install something more up-to-date and better behaved.

    It’s Macs with a longer history, perhaps inherited by migration, that are more likely to annoy you with spurious notifications, and to contain bizarre and unidentifiable Background Items.

    The nuclear solution is to blow the whole lot away, and start from scratch, but if you don’t then delete those old apps and their components, including property lists and support files tucked away in Application Support, LaunchAgents and LaunchDaemons folders in Library folders, then many will return to haunt you. To remove all third-party Login Items and reset to installation defaults, you can use the undocumented command

    sudo sfltool resetbtm

    This uses a command tool originally intended to manage the Shared File List, which seems to have gained additional features covering Service Management, although its man page hasn’t caught up yet and the most help you’ll get is from its usage info.

    A better and more systematic approach is to obtain a detailed listing of all those Background Items, and uninstall or delete those you no longer need, or are just old and unnecessary. For this, you need a BTM dump, using another undocumented option to the sfltool command:

    sudo sfltool dumpbtm > ~/Documents/btmdump.text

    to write it to the text file btmdump.text in your Documents folder. This file is also invaluable if you’re going to nuke Login Items in a reset, as it provides a record of what you might need to restore afterwards.
    `

  2. 在 Mac 上管理登录项和后台任务
    https://support.apple.com/zh-cn/guide/deployment/depdca572563/web
    `
    在 macOS 13 之前的版本中,帮助程序可执行文件的应用程序设计过程的一部分所包括的脚本会基于服务类型,将一个或多个属性列表安装到特定目录中。在 macOS 13 或更高版本中,App 捆绑包中的新架构通过更新较低版本 macOS 中的帮助程序可执行文件,简化了登录项和关联属性列表的安装。**当你在 Mac 上配置登录项、启动代理和启动守护程序时,此框架会用于为用户提供透明度**。此框架会使用 SMAppService 对象来控制 App 主捆绑包中的帮助程序可执行文件。此框架还可用于将登录项、启动代理和启动守护程序注册为 App 的帮助程序可执行文件并进行控制,且**可配合所有类型的 App 使用,不论 App 通过何种方式安装**。

    # 识别使用后台任务管理的 App

    导航至“系统设置”>“通用”>“登录项”,以查看通过新框架注册的项目列表。若要查看已启动的项目,请点按“信息”按钮。

    通过“控制台”和“终端” App 中的命令行工具来收集重要的系统信息,还原测试数据和监控活动。

    sfltool dumpbtm:打印登录项和后台项的当前状态,包括载入的 servicemanagement 有效负载 UUID。此命令的输出结果应该连同“报告反馈”部分中列出的其他项目一起包括在你提交的任何反馈中。

    sfltool resetbtm:还原登录项和后台项数据。如果在测试间使用此命令,建议用户也重新启动自己的电脑。

    若要在“控制台”中监控登录项和后台项管理活动:按 subsystem:backgroundtaskmanagement 和 category:mcx 筛选,或在“终端”中使用以下命令来流传输日志:

    log stream –debug –info –predicate “subsystem = ‘com.apple.backgroundtaskmanagement’”

    AppleSeed for IT 中提供的 Mac 评估实用工具 v4.3.0 或更高版本可生成返回详细信息的测试结果,与 sfltool dumpbtm 类似。这些登录项、启动代理或启动守护程序测试会使用 macOS 中的登录项和后台项管理来报告当前安装的应用程序。这些测试结果会格式化并与其他 Mac 评估实用工具测试内联在一起,并且可以导出为带分隔符的文本文件以供后续分析。

    # 为后台任务管理使用 XML 配置描述文件

    应用程序 BundleIdentifier:要匹配的应用程序捆绑包标识符(也称为捆绑包 ID),必须完全匹配。

    应用程序 BundleIdentifierPrefix:要匹配的应用程序捆绑包 ID 的前缀。

    开发者 TeamIdentifier:代码签名属性的团队标识符(必须完全匹配)。

    服务标签:要匹配的 launchd .plist Label 参数的值(必须完全匹配)。

    服务 LabelPrefix:要匹配的 launchd .plist Label 参数的前缀。
    `

  3. com.apple.servicemanagement.yaml
    https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.servicemanagement.yaml
    `
    title: Service Management – Managed Login Items
    description: Control the user experience for ServiceManagement login items (including launchd agents and daemons) in Login Items Settings.
    payload:
    payloadtype: com.apple.servicemanagement
    content: This payload defines rules for tagging login items as managed, which will auto-enable and auto-allow matched items.
    `

    Manage and enforce custom Login and Background items in macOS Ventura
    https://macblog.org/manage-custom-login-items/

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注